Sample ICS Security Incident: Hackers Shut Down Crude Oil Loading Terminal For 8 Hours

We had a request recently from a reader to provide an example of a malicious attack by outsiders on a control system, how it was done, and what impact it had on the plant and the owner. This is surprisingly tough to do, because according to RISI (the Repository of Industrial Security Incidents) the vast majority of security incidents are internal and/or accidental in nature. Additionally, people whose control systems have been hacked do not like to talk about it - why give attackers more information and ideas than they already have?

That being said, try this on for size...

In the winter of 2002-2003, Venezuela was in the grip of a general strike - the largest and longest strike in Latin American history. Lasting from Dec. 2, 2002 through Feb. 2, 2003, the strike paralyzed the entire country. During this period, acts of sabotage were carried out on the SCADA systems responsible for loading oil tankers at a marine terminal in eastern Venezuela.

In one such incident, the hackers erased the programs in the programmable logic controllers (PLCs) operating the facility, preventing tanker loading for eight hours. Fortunately for the oil company, the tactics of the attackers were unsophisticated, making detection of the problem relatively easy, and backups of the PLC programs were unaffected, making recovery straightforward.

We don't have data that identifies the attacker(s), but some of the published information makes us suspect it was likely done by outsiders. First, it is important to remember that this was not a normal union versus management strike. Rather, it was a general strike throughout the country that involved millions of people and was driven by political objectives. Secondly, it seems clear that the attack was done by someone who did not have intimate knowledge of the plant. As mentioned earlier, the tactics employed were not sophisticated - they simply erased the PLCs' ladder logic programs.

An attacker with inside knowledge would likely disable the PLC in a way that made it very difficult to recover - for example, introduce an obscure error into the PLC logic that was difficult to find, and then change both the operating program and the backup copy so it would be almost impossible to restore the PLC to operational condition without getting a control system engineer involved.
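The insider scenario above is exactly the one a plain backup copy does not survive: if the attacker can alter the backup as well as the running program, "restore from backup" restores the sabotage. The check a practitioner would want is an integrity record of the approved PLC programs that the attacker cannot silently update. The script below is an added example, not part of the original post or of any vendor tooling: it builds a manifest of SHA-256 digests over a directory of exported PLC projects, seals the manifest with an HMAC under a key that is held separately from the backups, and then verifies the directory against it. The file names (`loading_arm_1.l5k`, `loading_arm_2.l5k`), their contents and the key are constructed for the demonstration and are not from the incident described.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumed key for the example. In practice it is kept offline (or in an HSM),
# never on the engineering workstation that holds the backups.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def file_digest(path):
    """SHA-256 of a file, read in chunks so large PLC project exports are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key=MANIFEST_KEY):
    """Record name, size and digest of every backup file, then HMAC the record."""
    entries = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            entries[name] = {"sha256": file_digest(path), "size": os.path.getsize(path)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(backup_dir, manifest, key=MANIFEST_KEY):
    """Return a list of findings; an empty list means the backups match the manifest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Someone rewrote the manifest without the key; its entries cannot be trusted.
        return ["manifest: HMAC mismatch, manifest itself was altered"]
    findings = []
    for name, rec in manifest["entries"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{name}: backup missing")
        elif os.path.getsize(path) == 0:
            findings.append(f"{name}: backup emptied")
        elif file_digest(path) != rec["sha256"]:
            findings.append(f"{name}: content changed")
    for name in os.listdir(backup_dir):
        if name not in manifest["entries"] and os.path.isfile(os.path.join(backup_dir, name)):
            findings.append(f"{name}: file not in manifest")
    return findings


def demo():
    """Constructed scenario: clean check, a subtle edit to a backup, then a forged manifest."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for exported PLC projects; names and rungs are hypothetical.
        with open(os.path.join(d, "loading_arm_1.l5k"), "w") as f:
            f.write("XIC Tanker_Connected OTE Pump_Start\n")
        with open(os.path.join(d, "loading_arm_2.l5k"), "w") as f:
            f.write("XIC Tanker_Connected XIO Emergency_Stop OTE Pump_Start\n")
        manifest = build_manifest(d)
        clean = verify_manifest(d, manifest)

        # Insider edits the backup: one instruction flipped, same file size, not an erasure.
        with open(os.path.join(d, "loading_arm_2.l5k"), "w") as f:
            f.write("XIC Tanker_Connected XIC Emergency_Stop OTE Pump_Start\n")
        tampered = verify_manifest(d, manifest)

        # Insider also rewrites the digest in the manifest to hide the edit,
        # but cannot recompute the HMAC without the key.
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["loading_arm_2.l5k"] = {
            "sha256": file_digest(os.path.join(d, "loading_arm_2.l5k")),
            "size": os.path.getsize(os.path.join(d, "loading_arm_2.l5k")),
        }
        forged_result = verify_manifest(d, forged)
        return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result or "OK")
```

Two points about the design. The size check alone would not catch the edit in the demonstration (the flipped instruction keeps the file length), which is why the digest is what is compared. And the manifest only protects the backups; to catch the change to the running program, the same digest has to be computed over a fresh upload from the PLC and compared against the approved copy, on a schedule, not only after loading has already stopped.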

In any event, this particular incident cost about one day's worth of production for the oil company, which I'm sure represents a significant amount of lost revenue. Thankfully there appears to have been no safety or environmental impact, so we can limit ourselves to looking at the financial loss. My guess is that a well-thought-out cyber security solution for this control system would have paid for itself by mitigating just this one incident. The difficult thing about justifying such an investment, however, is that the end result of the investment is - NOTHING HAPPENS. How do you prove that the security measures worked? (One answer might be "good forensics" - but that's a topic for another blog entry...)

Cyber security can be a little like pest control - sometimes it's difficult to get management on board unless you've already suffered from an 'infestation'. Our hope is that those who have not experienced such an incident can learn from the misfortune of others, and be proactive in securing their control systems.
